Windows Analysis Report
INV NO -609983773 60983768.exe

Overview

General Information

Sample Name:INV NO -609983773 60983768.exe
Analysis ID:715073
MD5:4e06d9889629e7ff0faba3b139dcc950
SHA1:11db4a20ec8fc4a88bc5b75dc5de730e719b9f57
SHA256:341b6ff76b63e3e74b8fd97b301462f9a6544405946271b7766c4ff4c8c28150
Tags:exe

Detection

Remcos
Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
.NET source code references suspicious native API functions
Machine Learning detection for sample
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Yara signature match
Sample file is different than original file name gathered from version info
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates a process in suspended mode (likely to inject code)
Contains long sleeps (>= 3 min)
Enables debug privileges

Classification

Process Tree

• System is w10x64
• INV NO -609983773 60983768.exe (PID: 6048 cmdline: C:\Users\user\Desktop\INV NO -609983773 60983768.exe MD5: 4E06D9889629E7FF0FABA3B139DCC950)
  • RegAsm.exe (PID: 5168 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe MD5: 2B5D765B33C67EBA41E9F47954227BC3)
  • RegAsm.exe (PID: 6140 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe MD5: 2B5D765B33C67EBA41E9F47954227BC3)
  • RegAsm.exe (PID: 6096 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe MD5: 2B5D765B33C67EBA41E9F47954227BC3)
  • RegAsm.exe (PID: 6112 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe MD5: 2B5D765B33C67EBA41E9F47954227BC3)
  • RegAsm.exe (PID: 6116 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe MD5: 2B5D765B33C67EBA41E9F47954227BC3)
• cleanup

Malware Configuration

{"Version": "3.8.0 Pro", "Host:Port:Password": "172.111.234.110:5888", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Rmc-O7I9HK", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings
00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x68438:$a1: Remcos restarted by watchdog!
  • 0x68990:$a3: %02i:%02i:%02i:%03i
  • 0x68d15:$a4: * Remcos v
00000000.00000002.245237358.0000013DB3F8F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.245237358.0000013DB3F8F000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x1b83c0:$a1: Remcos restarted by watchdog!
  • 0x1b8918:$a3: %02i:%02i:%02i:%03i
  • 0x1b8c9d:$a4: * Remcos v
Process Memory Space: INV NO -609983773 60983768.exe PID: 6048 | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Source | Rule | Description | Author | Strings
0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer | detects Windows exceutables potentially bypassing UAC using eventvwr.exe | ditekSHen
  • 0x60100:$s1: \Classes\mscfile\shell\open\command
  • 0x60160:$s1: \Classes\mscfile\shell\open\command
  • 0x60148:$s2: eventvwr.exe
0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x661e0:$a1: Remcos restarted by watchdog!
  • 0x66738:$a3: %02i:%02i:%02i:%03i
  • 0x66abd:$a4: * Remcos v
0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x611e4:$str_a1: C:\Windows\System32\cmd.exe
  • 0x61160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x61160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x60610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x60e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6020c:$str_b2: Executing file:
  • 0x61328:$str_b3: GetDirectListeningPort
  • 0x60c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x60e30:$str_b7: \update.vbs
  • 0x60234:$str_b9: Downloaded file:
  • 0x60220:$str_b10: Downloading file:
  • 0x602c4:$str_b12: Failed to upload file:
  • 0x612f0:$str_b13: StartForward
  • 0x61310:$str_b14: StopForward
  • 0x60dd8:$str_b15: fso.DeleteFile "
  • 0x60d6c:$str_b16: On Error Resume Next
  • 0x60e08:$str_b17: fso.DeleteFolder "
  • 0x602b4:$str_b18: Uploaded file:
  • 0x60274:$str_b19: Unable to delete:
  • 0x60da0:$str_b20: while fso.FileExists("
  • 0x60749:$str_c0: [Firefox StoredLogins not found]
0.2.INV NO -609983773 60983768.exe.13db409f9a8.5.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: INV NO -609983773 60983768.exe | Virustotal: Detection: 9%
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db409f9a8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db407f970.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db3f8fb00.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.245237358.0000013DB3F8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: INV NO -609983773 60983768.exe PID: 6048, type: MEMORYSTR
Source: INV NO -609983773 60983768.exe | Joe Sandbox ML: detected
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.raw.unpack | Malware Configuration Extractor: Remcos {"Version": "3.8.0 Pro", "Host:Port:Password": "172.111.234.110:5888", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Rmc-O7I9HK", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: INV NO -609983773 60983768.exe, 00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: INV NO -609983773 60983768.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Malware configuration extractor | URLs: 172.111.234.110
Source: INV NO -609983773 60983768.exe | String found in binary or memory: http://fsf.org/
Source: INV NO -609983773 60983768.exe, 00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp, INV NO -609983773 60983768.exe, 00000000.00000002.245237358.0000013DB3F8F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: INV NO -609983773 60983768.exe | String found in binary or memory: http://itextpdf.com/terms-of-use/
Source: INV NO -609983773 60983768.exe | String found in binary or memory: http://www.gnu.org/licenses
Source: INV NO -609983773 60983768.exe | String found in binary or memory: http://www.gnu.org/licenses/
Source: INV NO -609983773 60983768.exe | String found in binary or memory: http://www.gnu.org/licenses/gpl-faq.html#FontException
Source: INV NO -609983773 60983768.exe | String found in binary or memory: https://opensource.bulkpdf.de/
Source: INV NO -609983773 60983768.exe | String found in binary or memory: https://opensource.bulkpdf.de/Whttps://opensource.bulkpdf.de/documentation
Source: INV NO -609983773 60983768.exe | String found in binary or memory: https://opensource.bulkpdf.de/documentation

E-Banking Fraud

Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db409f9a8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db407f970.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db3f8fb00.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.245237358.0000013DB3F8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: INV NO -609983773 60983768.exe PID: 6048, type: MEMORYSTR

System Summary

Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.INV NO -609983773 60983768.exe.13db409f9a8.5.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.INV NO -609983773 60983768.exe.13db409f9a8.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.INV NO -609983773 60983768.exe.13db407f970.6.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.INV NO -609983773 60983768.exe.13db407f970.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.INV NO -609983773 60983768.exe.13db3f8fb00.4.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.INV NO -609983773 60983768.exe.13db3f8fb00.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.245237358.0000013DB3F8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: INV NO -609983773 60983768.exe PID: 6048, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: INV NO -609983773 60983768.exe | Static PE information: No import functions for PE file found
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.INV NO -609983773 60983768.exe.13db409f9a8.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.INV NO -609983773 60983768.exe.13db409f9a8.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.INV NO -609983773 60983768.exe.13db407f970.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.INV NO -609983773 60983768.exe.13db407f970.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.INV NO -609983773 60983768.exe.13db3f8fb00.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.INV NO -609983773 60983768.exe.13db3f8fb00.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.245237358.0000013DB3F8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: INV NO -609983773 60983768.exe PID: 6048, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: INV NO -609983773 60983768.exe | Binary or memory string: OriginalFilename vs INV NO -609983773 60983768.exe
Source: INV NO -609983773 60983768.exe, 00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRunpeX.Stub.Framework.exeL vs INV NO -609983773 60983768.exe
Source: INV NO -609983773 60983768.exe, 00000000.00000002.242964715.0000013DA2109000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs INV NO -609983773 60983768.exe
Source: INV NO -609983773 60983768.exe, 00000000.00000002.245237358.0000013DB3F8F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRunpeX.Stub.Framework.exeL vs INV NO -609983773 60983768.exe
Source: INV NO -609983773 60983768.exe, 00000000.00000000.237710745.0000013DA1F42000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameBulkPDF.exe0 vs INV NO -609983773 60983768.exe
Source: INV NO -609983773 60983768.exe, 00000000.00000002.243176170.0000013DA2420000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRunpeX.Stub.Framework.exeL vs INV NO -609983773 60983768.exe
Source: INV NO -609983773 60983768.exe | Binary or memory string: OriginalFilenameBulkPDF.exe0 vs INV NO -609983773 60983768.exe
Source: INV NO -609983773 60983768.exe | Virustotal: Detection: 9%
Source: INV NO -609983773 60983768.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: INV NO -609983773 60983768.exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: unknown | Process created: C:\Users\user\Desktop\INV NO -609983773 60983768.exe C:\Users\user\Desktop\INV NO -609983773 60983768.exe
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\INV NO -609983773 60983768.exe.log
Source: classification engine | Classification label: mal76.troj.evad.winEXE@11/1@0/0
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: INV NO -609983773 60983768.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: INV NO -609983773 60983768.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Code function: 0_2_00007FFDC3A1000A push fs; ret 0_2_00007FFDC3A1004B
Source: initial sample | Static PE information: section name: .text entropy: 7.3605775158149305
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe TID: 5164 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: INV NO -609983773 60983768.exe, BIDEN_HARRISu003du003e1housand/BIDEN_HARRISu003du003eFollo8ing.cs | Reference to suspicious API methods: ('BIDEN_HARRIS=>6housand', 'VirtualProtect@kernel32.dll'), ('BIDEN_HARRIS=>Contra3t', 'GetProcAddress@kernel32.dll'), ('BIDEN_HARRIS=>Loa8', 'LoadLibrary@kernel32.dll')
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Queries volume information: C:\Users\user\Desktop\INV NO -609983773 60983768.exe VolumeInformation
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db409f9a8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db407f970.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db3f8fb00.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.245237358.0000013DB3F8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: INV NO -609983773 60983768.exe PID: 6048, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db409f9a8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db407f970.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db3f8fb00.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.245237358.0000013DB3F8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: INV NO -609983773 60983768.exe PID: 6048, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques observed in this analysis carry their signature count in parentheses; the others are the unmarked cells of the matrix)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Native API (1); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Process Injection (11); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (21); Software Packing (1); Process Injection (11); Obfuscated Files or Information (2)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Process Discovery (1); Virtualization/Sandbox Evasion (21); System Information Discovery (12); System Network Configuration Discovery; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Application Layer Protocol (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Behavior Graph (rendered graph not included; recovered content follows)

Behavior Graph ID: 715073
Sample: INV NO -609983773 60983768.exe
Start date: 03/10/2022
Architecture: WINDOWS
Score: 76
Signatures on the sample: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected Remcos RAT; 3 other signatures
Process chain: INV NO -609983773 60983768.exe started; it dropped C:\...\INV NO -609983773 60983768.exe.log (CSV) and started RegAsm.exe (three instances) plus 2 other processes

Source | Detection | Scanner | Label
INV NO -609983773 60983768.exe | 2% | ReversingLabs | ByteCode-MSIL.Backdoor.Remcos
INV NO -609983773 60983768.exe | 10% | Virustotal |
INV NO -609983773 60983768.exe | 100% | Joe Sandbox ML |
            No Antivirus matches
Source | Detection | Scanner | Label
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
https://opensource.bulkpdf.de/Whttps://opensource.bulkpdf.de/documentation | 0% | Virustotal |
172.111.234.110 | 5% | Virustotal |
https://opensource.bulkpdf.de/documentation | 0% | Avira URL Cloud | safe
172.111.234.110 | 0% | Avira URL Cloud | safe
https://opensource.bulkpdf.de/ | 0% | Avira URL Cloud | safe
https://opensource.bulkpdf.de/Whttps://opensource.bulkpdf.de/documentation | 0% | Avira URL Cloud | safe
            No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
172.111.234.110 | true | 5% Virustotal; Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://opensource.bulkpdf.de/Whttps://opensource.bulkpdf.de/documentation | INV NO -609983773 60983768.exe | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://opensource.bulkpdf.de/documentation | INV NO -609983773 60983768.exe | false | Avira URL Cloud: safe | unknown
https://opensource.bulkpdf.de/ | INV NO -609983773 60983768.exe | false | Avira URL Cloud: safe | unknown
http://fsf.org/ | INV NO -609983773 60983768.exe | false | | high
http://geoplugin.net/json.gp/C | INV NO -609983773 60983768.exe, 00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp, INV NO -609983773 60983768.exe, 00000000.00000002.245237358.0000013DB3F8F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://itextpdf.com/terms-of-use/ | INV NO -609983773 60983768.exe | false | | high
http://www.gnu.org/licenses | INV NO -609983773 60983768.exe | false | | high
http://www.gnu.org/licenses/gpl-faq.html#FontException | INV NO -609983773 60983768.exe | false | | high
http://www.gnu.org/licenses/ | INV NO -609983773 60983768.exe | false | | high
                      No contacted IP infos
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 715073
Start date and time: 2022-10-03 15:56:20 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 24s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: INV NO -609983773 60983768.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal76.troj.evad.winEXE@11/1@0/0
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 17.9% (good quality ratio 11.2%)
• Quality average: 42%
• Quality standard deviation: 36.9%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 4
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Excluded IPs from analysis (whitelisted): 23.50.105.163
• Excluded domains from analysis (whitelisted): fs.microsoft.com, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
                      No simulations
                      No context
Dropped file

Process: C:\Users\user\Desktop\INV NO -609983773 60983768.exe
File Type: CSV text
Category: dropped
Size (bytes): 654
Entropy (8bit): 5.374391981354885
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPTxAIOKbbDLI4MWuPOKN08JOKhap+92n4MNQpN9tv:ML9E4KrgKDE4KGKN08AKh6+84xpNT
MD5: C8A62E39DE7A3F805D39384E8BABB1E0
SHA1: B32B1257401F17A2D1D5D3CC1D8C1E072E3FEE31
SHA-256: A7BC127854C5327ABD50C86000BF10586B556A5E085BB23523B07A15DD4C5383
SHA-512: 7DB2825131F5CDA6AF33A179D9F7CD0A206FF34AE50D6E66DE9E99BE2CD1CB985B88C00F0EDE72BBC4467E7E42B5DC6132403AA2EC1A0A7A6D11766C438B10C3
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\f2e0589ed6d670f264a5f65dd0ad000f\Microsoft.VisualBasic.ni.dll",0..
Static PE information

File type: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.355734908257647
TrID:
• Win64 Executable GUI Net Framework (217006/5) 49.88%
• Win64 Executable GUI (202006/5) 46.43%
• Win64 Executable (generic) (12005/4) 2.76%
• Generic Win/DOS Executable (2004/3) 0.46%
• DOS Executable Generic (2002/1) 0.46%
File name: INV NO -609983773 60983768.exe
File size: 860672
MD5: 4e06d9889629e7ff0faba3b139dcc950
SHA1: 11db4a20ec8fc4a88bc5b75dc5de730e719b9f57
SHA256: 341b6ff76b63e3e74b8fd97b301462f9a6544405946271b7766c4ff4c8c28150
SHA512: 03e2bea6b7407de7ea9e62729239c7dff3766ef502d97f9855957a9686876939e8fc3592ddb0bf1737cef965090ffd28c7b689b8bd0dc225e7ad81a1654b3eba
SSDEEP: 12288:iEP6d1Ttnv8aidSXH1tRBme/yVaBzx1cYYymqn+7F7kBzxopLsk:ie6d1pnv2dE1tRke/e61Ln+eQp9
TLSH: 7305AE1037966249CC560F711932C2D947793E27BE38C21D74AE708EAF73A278723B66
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....U:c.........."...0.c................ ....@...... .......................`............`................................
Icon Hash: 00828e8e8686b000
Entrypoint: 0x400000
Entrypoint Section:
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x633A5515 [Mon Oct 3 03:20:53 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash:
                      Instruction
                      dec ebp
                      pop edx
                      nop
                      add byte ptr [ebx], al
                      add byte ptr [eax], al
                      add byte ptr [eax+eax], al
                      add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x388 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xd1a63 | 0xd1c00 | False | 0.6498947780095352 | data | 7.3605775158149305 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xd4000 | 0x388 | 0x400 | False | 0.3857421875 | data | 2.94473135225856 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xd4058 | 0x330 | data | |
                      No network behavior found


Target ID: 0
Start time: 15:57:14
Start date: 03/10/2022
Path: C:\Users\user\Desktop\INV NO -609983773 60983768.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\INV NO -609983773 60983768.exe
Imagebase: 0x13da1f40000
File size: 860672 bytes
MD5 hash: 4E06D9889629E7FF0FABA3B139DCC950
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.245237358.0000013DB3F8F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.245237358.0000013DB3F8F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation: low

Target ID: 1
Start time: 15:57:16
Start date: 03/10/2022
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Imagebase: 0x265ffed0000
File size: 64096 bytes
MD5 hash: 2B5D765B33C67EBA41E9F47954227BC3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Target ID: 2
Start time: 15:57:16
Start date: 03/10/2022
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Imagebase: 0x14bb8e80000
File size: 64096 bytes
MD5 hash: 2B5D765B33C67EBA41E9F47954227BC3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Target ID: 3
Start time: 15:57:16
Start date: 03/10/2022
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Imagebase: 0x17a583d0000
File size: 64096 bytes
MD5 hash: 2B5D765B33C67EBA41E9F47954227BC3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Target ID: 4
Start time: 15:57:16
Start date: 03/10/2022
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Imagebase: 0x2bc03340000
File size: 64096 bytes
MD5 hash: 2B5D765B33C67EBA41E9F47954227BC3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Target ID: 5
Start time: 15:57:17
Start date: 03/10/2022
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Imagebase: 0x24bc9810000
File size: 64096 bytes
MD5 hash: 2B5D765B33C67EBA41E9F47954227BC3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate


Execution Graph

Execution Coverage: 25.5%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 12
Total number of Limit Nodes: 0
Execution graph (rendered graph not included; recovered edges): 7ffdc3a1382d -> 7ffdc3a138d2 (CreateProcessW) -> 7ffdc3a13a55; 7ffdc3a1241d -> 7ffdc3a12423 (LoadLibraryW) -> 7ffdc3a124f6; 7ffdc3a1274e -> 7ffdc3a1275d (VirtualProtect) -> 7ffdc3a12831; 7ffdc3a12a0b -> 7ffdc3a13870 (CreateProcessW) -> 7ffdc3a13a55

                        Control-flow Graph

                        Memory Dump Source
                        • Source File: 00000000.00000002.246430233.00007FFDC3A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC3A10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7ffdc3a10000_INV NO -609983773 60983768.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 38adadd3c031b2943ec94996ec42a5137bbd580376add03ad6de7c8463d08c3c
                        • Instruction ID: a4d08283030d4c6cc46738535a0cfc906f5ac61e9b842dd4f31f92fedc1ac06f
                        • Opcode Fuzzy Hash: 38adadd3c031b2943ec94996ec42a5137bbd580376add03ad6de7c8463d08c3c
                        • Instruction Fuzzy Hash: C0819C31908A9C8FDB65DF589855BE9BBF0EB99310F10429BD049E7291CB30A985CF81
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.246430233.00007FFDC3A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC3A10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7ffdc3a10000_INV NO -609983773 60983768.jbxd
                        Similarity
                        • API ID: CreateProcess
                        • String ID:
                        • API String ID: 963392458-0
                        • Opcode ID: 6e101b17986346e55b8871089e6bd99400626db68adbb57911457c44d7179476
                        • Instruction ID: d2005b9073be2f58f916b62a60612d00e3dc943583739377856d7227397adc4f
                        • Opcode Fuzzy Hash: 6e101b17986346e55b8871089e6bd99400626db68adbb57911457c44d7179476
                        • Instruction Fuzzy Hash: 26717971908A5C8FDBA8DF58D855BE9B7F0FB98311F1042AAD449E3291CB30A985CFC1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.246430233.00007FFDC3A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC3A10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7ffdc3a10000_INV NO -609983773 60983768.jbxd
                        Similarity
                        • API ID: ProtectVirtual
                        • String ID:
                        • API String ID: 544645111-0
                        • Opcode ID: a5ae8fd4785237bd19c554f005b0ec53919e0db1cb3c4f5694afc79b2df77545
                        • Instruction ID: 4a9c8a256513ca16c0e5202050d85709bdc4cf87360a416d305bfd71f77b61f6
                        • Opcode Fuzzy Hash: a5ae8fd4785237bd19c554f005b0ec53919e0db1cb3c4f5694afc79b2df77545
                        • Instruction Fuzzy Hash: 53514C30A0C7898FE7199F6C9855AF5BFF0EF56321F0442AFD089D31A2CE64A856C791
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.246430233.00007FFDC3A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC3A10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7ffdc3a10000_INV NO -609983773 60983768.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: 46fbf8a9004d2be91f674c206eecfec6b4090b108d0a78946be91f8eed5d4978
                        • Instruction ID: c2d98bd5aa83749ed1a4e1812db756f474df4a7ef46dea64a53deec833d586b2
                        • Opcode Fuzzy Hash: 46fbf8a9004d2be91f674c206eecfec6b4090b108d0a78946be91f8eed5d4978
                        • Instruction Fuzzy Hash: B1414631D0CA4C8FDB19DF689849AF97BF4EF65320F04826FD049D3552CB68A452CB91
                        Uniqueness

                        Uniqueness Score: -1.00%